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Abstract: Recently, supply chains (SCs) are applying information technology to enable data sharing 
among suppliers, instant access to information, and complete tracking of products. With more 
Cybersecurity risks present, such as theft of information, service interruptions, and financial 
resources risks, the vulnerability of systems is increased. The management of supply chain 
Cybersecurity, which encompasses information systems, software, and infrastructure, is the 
emphasis of the supply chain's safety measure. There are several serious danger that attack supply 
chain systems. Most SC Cybersecurity procedures are used to reduce the threats posed by 
vulnerabilities to those processes. Researchers have mostly concentrated on supply chain-related 
cyber physical system (CPS) issues. This study makes attempts to classify and evaluates the 
Cybersecurity insecurities of supply chains. In addition, this work provides an update of the analytic 
hierarchy process (AHP) method called a-discounting multi-criteria decision-making (a-D MCDM), 
which enables a more uniform assessment of supply chain cyber insecurities. This paper suggests 
using the a-D MCDM in various ways to address various supply chain evaluation problems. 
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1. Introduction 


A supply chain (SC), which is a combination of various entities that coordinate their procedures, 
targets and some system elements with those of suppliers, customers, and other external 
organizations. A SC consists of all operations associated with the movement of products, services, 
and information from suppliers to consumers [1]. Supply chain management (SCM) aims to deliver 
the appropriate item to the appropriate customer at the optimal cost, at the correct place, and at the 
optimal time. In order to increase process effectiveness as well as cost enhancement, businesses are 
now utilizing information technologies (IT) in their processes [2]. According to Singh et al. [3], the 
efficient use of IT tools guarantees an ongoing development of supply chains. 

Cyber-physical systems (CPS) are systems made up of physical ingredients, network 
infrastructures, embedded hardware, software, and connections between devices and sensors for 
transferring data. The development of CPS with SC operations has changed how supply chains 
operate in numerous ways over time [4]. An organization's information systems and information 
technologies, which improves supply chain productivity, may also be the source of security risks as 
well as weaknesses. The organization and business relationships through every phase of the supply 
chain is required for efficient and achievable supply chain management (SCM). Integrating 
technology into corporate operations improves overall productivity and even costs optimizing. Cyber 
threats are one of the difficulties brought on by utilizing CPS in supply chain processes [5]. 
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Modern industrial demands, such as decentralization and systems connectivity cannot be 
satisfied by the conventional supply chain architecture. In contrast, the utilization of CPS and the 
internet of things (IoT) leads to the production system being intelligently connected, which improves 
manufacturing, efficiency, and productivity increases [6]. Data authenticity, consistency, and security 
are some of the issues that come with growing connection, the volume of data, and their sensitive 
nature. Due to several factors, including software flaws and vulnerabilities discovered in any supply 
chain through data transfer, cyber-attacks could have consequences on supply chain processes [7]. 

In this paper, the objective is to categorize the cyber insecurities of cyber SC regarding to supply, 
operation, and customer. Firstly, cyber supply chain definitions are discussed and how it may 
improve the SCs performance and efficiency. Secondly, we describe the expansion of analytic 
hierarchy process (AHP), which, by addressing AHP's imperfections in order to evaluate the 
categories of the cyber insecurities that may attack supply chain. Thirdly, we put forth the concept of 
a multi-criteria decision-making (MCDM) framework that supports management in assessing supply 
chain cyber vulnerabilities by combining the a-discounting (a-D) with various MCDM techniques. 

This research is structured as follows: Section 2 reviews earlier papers on the cyber supply chain 
and cyber-attacks that could target the SC phases. In Section 3, discussion of cyber supply chain 
insecurities is presented. The suggested concept of evaluating cyber supply chain vulnerabilities 
based on a-D MCDM with various MCDM is presented in Section 4. The conclusion and future 
directions are made clear in Section 5. 


2. Literature Reviews 

Supply chains are now integrated with organizations through digital communication channels 
as a result of digitalization. In supply chains, all members become as powerful due to shared 
knowledge and security mechanisms along the supply chain, as stated by Pandey et al. [8]. An 
organization can achieve its strategic goals by utilizing the secure network infrastructure that supply 
chain Cybersecurity offers. While the way that organizations and industries function has changed 
significantly, as a result of the application of CPS in the field of SCs. However, CPS supply networks 
also brought forth a number of difficulties, including a lack of security measures and risk 
management [9]. 


2.1 Cyber Supply Chain 

The quality of services provided in the field of SC has steadily improved due to technological 
applications. Cheung et al. [10] investigated the Cybersecurity measures in SCM. Several major 
findings and relevant research initiatives related to Cybersecurity in logistics and SCM are discussed 
[10]. The research of Yeboah-Ofori et al. [11] tries to analyze and predict risks in order to improve 
Cybersecurity in the field of SCs. They used Cyber Threat Intelligence (CTI) to investigate and 
anticipate attacks based on CTI features [11]. 

Luo and Choi [12] focused their research on how firms make investments in Cybersecurity at a 
high cost. Because cyber-attacks pose a threat to e-commerce supply chains and its participants. 
Customers who buy things online run the danger of having their personal information hacked [12]. 
Pandey et al. [8] attempt to classify the Cybersecurity threats that arise as a result of supply chains 
working in cyber physical systems. The research provides a framework comprised of various cyber- 
attacks spanning information flows in global supply chains [8]. 


2.2 Cybersecurity and Supply Chain Risk 

In order to evaluate the influence of Cybersecurity on digital operations in the UAE 
pharmaceutical business, the research of Del Giorgio Solfa [13] examined empirical data. The results 
confirmed the strong positive association between supply chain risk and Cybersecurity in relation to 
digital operations [13]. The main goal of Melnyk et al.'s study from 2022 is to create a foundation for 
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future research on supply chain Cybersecurity [14]. A need for greater research on Cybersecurity 
throughout the supply chain is made in the paper's conclusion. An exploratory research technique 
was used, which drew on a number of sources to construct the research framework [14]. 

In order to investigate how supply chain managers view the components of cyber supply chain 
risk management and the degree to which this is aligned with increased cyber supply chain resilience, 
Creazza et al. [15] studied the subject of supply chain security. In order to better respond to cyber 
threats, this study revealed that Logistics Service Providers can play a significant role as 
administrators of the Cybersecurity process. The study also emphasizes how crucial it is to prioritize 
humans while enhancing supply chain cyber resilience. Using a data fusion technique, Hossain et al. 
[16] established a paradigm that takes into account supply chains’ resilience, sustainability, and 
Cybersecurity to determine how effectively they operate without interruption. A healthcare supply 
chain is used to verify the suggested framework [16]. In cyber supply chain risk analysis, SC 
weaknesses are frequently disregarded. To help with risk assessment and to investigate the intricate 
problems related to the demands for protecting hardware, firmware, software, and system data over 
the whole SC lifecycle, a novel SC cyber-attack framework is presented [17]. 


3. Cybersecurity Risks in Supply Chains 
3.1 Cyber Physical System Supply Chains 


Factors that make it difficult to model CPS effectively include the variety of systems and 
programming, the absence of representation of real-time operating systems, and timing-related 
system responsiveness [18]. The foundation of CPS is the fusion of both traditional and technological 
procedures. CPS encompass machines, structures, vehicles, and other means of transportation as well 
as logistical, management procedures, and internet-based services [19]. While devices are used to 
respond to industrial or organisational changes and connect with other components, sensors help 
CPS gather, organise, and analyse data. CPS can be employed to handle a variety of concerns, 
including manufacturing, logistics, quality control, planning, and scheduling operations within the 
supply chain [20]. 


3.2 Cybersecurity Risks Categories Occurring along Supply Chains 

Cyber supply chain systems based on CPS are frequently vulnerable to cyber-attacks 
notwithstanding their advantages in terms of safety and dependability. At a time, there are more and 
more advanced cyber-attacks that have a variety of negative effects on al supply chain operations and 
businesses. Attacks against emerging CPS can also have a negative effect, particularly on those that 
function in the logistics and SCM sectors [21]. Supply, operations, and demand are the three key 
supply chain stages that can be used to categorise cyber supply chain insecurities as shown in Table 
if 
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Table 1. Cybersecurity risks of cyber supply chains and their categorization. 
Risks categories Risk types 


Lack of availability of providers 
Vendor credentials hacked 
Supply risks Vulnerability of the supplier's connection 
Malware-induced source code alteration 
Provision of tainted software 
Disruption of the manufacturing facility 
Unexpected breakdown of the manufacturing's operations 
Operations risks Missing coding errors 
Invalid product specifications 
Information leakage 
Theft of inventions 
Altering information 


; Access of Client information without permission 
Demand risks ; = 
Deceptive communication 


Data destruction 


Unlicensed payment processors 


e Supply Insecurities 

Supply risks are the incident related to incoming supplies that could lead to supplier failures. 
The firm's difficulties to satisfy client demand is the result of these failings. Prior to the final 
manufacturing, suppliers frequently give the companies with the necessary parts. Therefore, it's 
essential to effectively manage the supply chain of Cybersecurity products in accordance with the 
requirements of the Cybersecurity strategy [22]. 
e¢ Operational Insecurities 

Operations risk is defined as the potential for an occurrence that has an impact on the firm's 
capability to provide goods and services, productivity, and its financial performance. These risks 
arise from a major breakdown in the access restrictions on supply chain operations, which gives the 
attacker the ability to interrupt business [23]. 
e Demand Insecurities 

Demand risk is defined as the potential of a situation involving outgoing transactions that could 
change the possibility of clients placing orders with the business. Demand risk results from the 
unanticipated change in markets and business breakdown. The public's opinions are impacted by the 
supply risks in CPS, and the associated demand also creates the demand risks [24]. 


4. Application of a-D MCDM to evaluate Cybersecurity Risks of Supply Chain 


4.1 a-D MCDM Definitions 

In this research, we examine a novel method that extends Saaty's AHP and is known as the a-D 
MCDM. This method can be applied to any set of preferences that can be transformed into a set of 
homogeneous linear equations [25]. It is helpful not only for preferences that are pairwise 
comparisons of criteria as AHP does, but also for preferences of any n-wise (with n 2 2) assessments 
of criteria that can be expressed as linear homogeneous formulas. 

The overall aim of a-D MCDM is to change the null-solution of linear homogeneous system, into 
a non-null solution system, by reduce or raise the coefficients in the right-hand side [26]. 
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Additionally, this approach has an edge in that it can convert those MCDM issues that the AHP has 
categorized as inconsistent into a consistent form. Taking a decision among the options available to 
a decision maker is not an easy task since most often, numerous criteria with diverse orientations are 
used in place of a single criterion with a single direction in the decision-making process. That’s why, 
a-D MCDM is a good choice in such evaluation problems. 


4.2 Application of a-D MCDM 

The MCDM techniques in the literature have benefits and drawbacks. AHP is constrained in the 
way some issues are structured. The most beneficial advantage of the a-D MCDM that is not limited 
by the number of comparisons of criteria. By decreasing or increasing the linear evaluation equation 
coefficients at/to specific amounts, a-D MCDM can solve the problem of converts an inconsistency of 
the problem. The following are the procedure steps for a-D MCDM [27]: 

1. Let X = {X,,X2,X3,...,X,},n = 2, be a problem structure components. The group of preferences 
is R = {R,,R2,R3,..,Rm}, m= 1. Each preference R,, represent the relationship to a certain 
criteria X, as followsRm = f((X1, X2,X3, .., Xp). Let us build a basic belief assignment (bba) for 
the weights of the problem components. m: X > [0,1], where m(X;) = x;,0 < x; < 1. 

n n 


Yi mx) => x =f 


i=1 
2. In order to get the variable x; in accordance with preferences R, build mxn linear 
homogeneous matrix A = (a;;) as follows 
X41W4 + X1,2W2 Se X1nWn = 0 | 


Xm1W1 + Xm,2W2 Se XmnWn I 0 


X41 we Xin 
A= 


Xm1i « Xman 


3. Calculate the determinant det(A) of the matrix A. If det(A) = 0, then the system is consistent. 
Otherwise, it’s inconsistent. 

4. After examine the problem consistency, if the problem is inconsistent, then do the following 
steps of a discounting: 

e Introduce a new matrix called A(a) by increasing or decreasing the right hand side 
with a, then compute a that makes the determinant equal 0 using the Fairness 
principle (equalize all parameters). Then, solve the system. 

e Substitute the secondary variables by 1 and then, normalize the result. 


4.3 a-D MCDM in the Evaluation of Cyber Insecurities Categories of Cyber Supply Chains 

a-D MCDM outperforms AHP in the evaluation of n-wise comparisons. According to the 
literature, we used the a-D MCDM in this study to quantify the cyber insecurities of cyber SCs. In 
order to use this approach, we consult with a SCM specialist who can provide us with advice on the 
relative importance of each category of supply chain cyber threats. 

Let’s propose that supply risks is x, operations risks is y, and demand risk is z. The following is 
the expert's preference: 


i. Supply risks is as important as 2 times of operations risks plus 3 times of demand risks. 
ii. | Operations demand is 4 times as important as supply risks. 
iii. | Demand risks is 5 times as important as supply risks. 
x= 2y4+3z 1 -2 -3 
y=4x A= |]-4 1 0 | 
Z=5x -5 O 1 


As det # 0, so right-side coefficient must be parameterized. 
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x = 2a,y + 3a2z 
y=4a3x ;where a, @ a3 A,a,a,>0. 
Z = 54x 


The a-D MCDM outperforms AHP in the evaluation of n-wise comparisons. According to the 
literature, we used the a-D MCDM in this study to quantify the cyber insecurities of cyber SCs. In 
order to use this approach, we consult with a SCM specialist who can provide us with advice on the 
relative importance of each category of supply chain cyber threats. 

Then, we will solve the system: 

x = 2a,(4a3x) + 3a2(5a4x) 

1 = 8a,a,+15a,a, Set 1 to the secondary variable 
Let a, = @2 = @3 = a, =a >0 


1 = 8a? + 15a? (Parametric equation) 
a = [23/23 
S=[1 4a, 5a, | (Priority vector) 
sa[1 #2 9B 

~ 23 23 


Normalized priority vector to find the weight of each cyber insecurities category. 

W =[0.3476, 0.2899, 0.3625] 

The a-D MCDM method was used to evaluate the three cyber insecurities of supply chains, and based 
on expert preferences, demand risks were found to be the superior element with a weight of 0.3625. 
The supply risks and operation risks are ranked second and third, with weights of 0.3476 and 0.2899, 
respectively as presented in Figure 1. 


m@ Weights of the three cyber insecurities of supply chains 


0.45 


0.4 0.3625 0.3476 


0.35 
0.2899 

0.3 
0.25 


0.2 


Weight value 


0.15 


0.1 


0.05 


Demand risks Operatins risks Supply risks 
The three cyber insecurities of supply chains 


Figure 1. Weights of the three cyber insecurities of supply chains. 


5. Conclusion and Future Works 


Managing cyber insecurities in SCs is a significant concern for organizations seeking to remain 
competitive in today's market. The digital transformation of the supply chain has resulted in a 
platform with fewer silos. Risks that attacks data are higher than ever. While new technologies have 
provided up new supply chain management opportunities, they have also produced potential 
security holes that cybercriminals may exploit. Thus, in this study the cyber insecurities that facing 
the cyber supply chains have been highlighted. According to the literature, the cyber supply chain 
insecurities are categorized into three types: supply risks, operational risks, and demand risks. Also, 
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the a-D MCDM method was discussed and applied to evaluate the three categories of cyber supply 
chain insecurities in sufficient manner. 

Our future plan is to apply an integrated MCDM framework to evaluate the overall cyber 
insecurities that face the cyber supply chains as a result of the noticeable trend towards fourth and 
fifth generation technologies for industry. The integrated framework that suggested in the future 
studies is recommended to be as integration between a discounting method and other MCDM 
method to evaluate the main insecurities and its corresponding risks. 
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